Dare: Dalvik Retargeting

Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.

Dare retargeting process overview

Dare adopts a principled approach to Dalvik retargeting. Its typed intermediate representation uses a strong type inference algorithm and allows translation to Java bytecode using only 9 rules for all 257 Dalvik opcodes. An important feature of Dare is its ability to rewrite unverifiable input bytecode so that the output Java bytecode is verifiable. In particular, the use of stronger methods makes it a better retargeting tool than ded, our first (ad hoc) retargeting tool. Dare is more reliable at retargeting Android bytecode and generates verifiable Java bytecode in a vast majority of cases. In order to enable the analysis of retargeted Android code by other researchers, we have made Dare available for download. Both binaries and source code are available from the Dare webpage.

Related Publications

Damien Octeau, Somesh Jha and Patrick McDaniel. Retargeting Android Applications to Java Bytecode. 20th International Symposium on the Foundations of Software Engineering (FSE). Cary, NC. November 2012. Best Artifact Award.

Related Tools

Dare


ded: Decompiling Android Applications

Smartphone applications are frequently incompletely vetted, poorly isolated, and installed by users without restraint. Such behavior is fraught with peril: applications containing malicious logic or critical vulnerabilities are likely to be identified only after substantial damage has already occurred. Unfortunately, the limitations of application markets make them a poor agent for certifying that applications are secure.

Android applications are developed in Java but compiled to a platform-specific Dalvik bytecode. Dalvik bytecode runs in a Dalvik virtual machine, which was designed for resource-constrained platforms such as smartphones and tablets. Since existing analysis frameworks target Java source code and bytecode, it is necessary to convert Android applications to these well-known Java formats.

Android application compilation process

ded is a project which aims at decompiling Android applications. The ded tool retargets Android applications in .dex format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.

ded conversion overview

We used our decompilation techniques to perform a large scale analysis of Android applications. We decompiled the 1,100 most popular applications using ded. The decompiled code was then analyzed using Fortify Source Code Analyzer (SCA). We implemented Android-specific detection rules in Fortify SCA. While this analysis did not reveal any malware, we found that phone identifiers and other personally identifiable information were widely used by Android applications.
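
As an added illustration (not part of ded, Dare, or the Fortify SCA rules used in the study), the following minimal pattern scan flags calls in decompiled Java source to TelephonyManager methods that return phone identifiers. The sample source, the function names and the choice of four APIs are assumptions made for this example.

```python
import re
from collections import defaultdict

# Real android.telephony.TelephonyManager methods that return phone identifiers.
IDENTIFIER_APIS = {
    "getDeviceId": "IMEI/MEID",
    "getSubscriberId": "IMSI",
    "getSimSerialNumber": "ICCID",
    "getLine1Number": "phone number",
}
# String literals are matched first so "//" inside a URL is not read as a comment.
NOISE_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
CALL_RE = re.compile(r"\.\s*(%s)\s*\(" % "|".join(IDENTIFIER_APIS))
CLASS_RE = re.compile(r"\bclass\s+(\w+)")

def strip_noise(src):
    """Blank out string literals and comments, keeping line numbers stable."""
    def repl(m):
        text = m.group(0)
        return '""' if text.startswith('"') else "\n" * text.count("\n")
    return NOISE_RE.sub(repl, src)

def find_identifier_uses(src):
    """Return {class_name: [(line_no, api, identifier_kind), ...]}.
    Calls are attributed to the last class declaration seen (a simplification)."""
    findings = defaultdict(list)
    current = "<unknown>"
    for no, line in enumerate(strip_noise(src).splitlines(), 1):
        decl = CLASS_RE.search(line)
        if decl:
            current = decl.group(1)
        for call in CALL_RE.finditer(line):
            api = call.group(1)
            findings[current].append((no, api, IDENTIFIER_APIS[api]))
    return dict(findings)

# Constructed sample of decompiler output; not taken from a real application.
SAMPLE = '''\
package com.example.ads;
public class Tracker {
    String endpoint = "http://ads.example/c";  // "//" in the string is not a comment
    String id(android.telephony.TelephonyManager tm) {
        // tm.getSubscriberId() was removed in v2
        return tm.getDeviceId() + ":" + tm.getLine1Number();
    }
}
class Util {
    /* tm.getSimSerialNumber(); */
    int add(int a, int b) { return a + b; }
}
'''
if __name__ == "__main__":
    print(find_identifier_uses(SAMPLE))
```

A match only shows that an identifier is read; deciding whether it leaves the device requires data-flow analysis of the kind a full static analyzer performs.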

Related Publications

William Enck, Damien Octeau, Patrick McDaniel and Swarat Chaudhuri. A Study of Android Application Security. Proceedings of the 20th USENIX Security Symposium. San Francisco, CA, August 2011.

Damien Octeau, William Enck and Patrick McDaniel. The ded Decompiler. Technical Report NAS-TR-0140-2010, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA.

Related Tools

ded

Fortify SCA custom rules